diff options
Diffstat (limited to 'doc/administration/auth/ldap.md')
| -rw-r--r-- | doc/administration/auth/ldap.md | 72 |
1 files changed, 1 insertions, 71 deletions
diff --git a/doc/administration/auth/ldap.md b/doc/administration/auth/ldap.md index 067fdfd0018..12a42ec0a1e 100644 --- a/doc/administration/auth/ldap.md +++ b/doc/administration/auth/ldap.md @@ -552,74 +552,4 @@ be mandatory and clients cannot be authenticated with the TLS protocol. ## Troubleshooting -If a user account is blocked or unblocked due to the LDAP configuration, a -message will be logged to `application.log`. - -If there is an unexpected error during an LDAP lookup (configuration error, -timeout), the login is rejected and a message will be logged to -`production.log`. - -### Debug LDAP user filter with ldapsearch - -This example uses `ldapsearch` and assumes you are using ActiveDirectory. The -following query returns the login names of the users that will be allowed to -log in to GitLab if you configure your own user_filter. - -```shell -ldapsearch -H ldaps://$host:$port -D "$bind_dn" -y bind_dn_password.txt -b "$base" "$user_filter" sAMAccountName -``` - -- Variables beginning with a `$` refer to a variable from the LDAP section of - your configuration file. -- Replace `ldaps://` with `ldap://` if you are using the plain authentication method. - Port `389` is the default `ldap://` port and `636` is the default `ldaps://` - port. -- We are assuming the password for the bind_dn user is in bind_dn_password.txt. - -### Invalid credentials when logging in - -- Make sure the user you are binding with has enough permissions to read the user's - tree and traverse it. -- Check that the `user_filter` is not blocking otherwise valid users. -- Run the following check command to make sure that the LDAP settings are - correct and GitLab can see your users: - - ```shell - # For Omnibus installations - sudo gitlab-rake gitlab:ldap:check - - # For installations from source - sudo -u git -H bundle exec rake gitlab:ldap:check RAILS_ENV=production - ``` - -### Connection refused - -If you are getting 'Connection Refused' errors when trying to connect to the -LDAP server please double-check the LDAP `port` and `encryption` settings used by -GitLab. Common combinations are `encryption: 'plain'` and `port: 389`, OR -`encryption: 'simple_tls'` and `port: 636`. - -### Connection times out - -If GitLab cannot reach your LDAP endpoint, you will see a message like this: - -```plaintext -Could not authenticate you from Ldapmain because "Connection timed out - user specified timeout". -``` - -If your configured LDAP provider and/or endpoint is offline or otherwise unreachable by GitLab, no LDAP user will be able to authenticate and log in. GitLab does not cache or store credentials for LDAP users to provide authentication during an LDAP outage. - -Contact your LDAP provider or administrator if you are seeing this error. - -### No file specified as Settingslogic source - -If `sudo gitlab-ctl reconfigure` fails with the following error, or you are seeing it in -the logs, you may have malformed YAML in `/etc/gitlab/gitlab.rb`: - -```plaintext -Errno::ENOENT: No such file or directory - No file specified as Settingslogic source -``` - -This issue is frequently due to the spacing in your YAML file. To fix the problem, -verify the syntax with **spacing** against the -[documentation for the configuration of LDAP](#configuration). +Please see our [administrator guide to troubleshooting LDAP](ldap-troubleshooting.md). |